Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using Mongodb ObjectID as a document ID?

Tags:

php

mongodb

mongodb-php

I'm trying to make a board with mongoDB.

I want to assign document ID with ObjectID.

If a user can access to a document page by http://www.example.com/4easdf123123 where "4easdf123123" is a mongoDB ObjectID.

Is there any possible security threat, If I use and show mongo ObjectID in URL and using it as a document id?

And any suggestion with assigning document ID with mongoDB?

like image 205
jwchang Avatar asked Aug 16 '11 01:08

jwchang

People also ask

Why ID is ObjectId in MongoDB?

Every document in the collection has an “_id” field that is used to uniquely identify the document in a particular collection it acts as the primary key for the documents in the collection. “_id” field can be used in any format and the default format is ObjectId of the document.

Is ObjectId a UUID?

A MongoDB ObjectID is 12 bytes in size, is packed for storage, and its parts are organized for performance (i.e. timestamp is stored first, which is a logical ordering criteria). Conversely, a standard UUID is 36 bytes, contains dashes and is typically stored as a string.

Does MongoDB auto generate ID?

MongoDB is a NoSQL database that operates with collections and documents. Each document created on MongoDB has a unique object ID property. So when creating a document without entering an ID, the document will be created with an auto-generated ID.

Is ObjectId deprecated?

ObjectID is deprecated in MongoDB Node.

1 Answers

That doesn't look like a MongoDB ObjectID -- an ObjectID is 12 bytes of binary data, and when rendered as a hexadecimal string (the usual way to use it in a URL) it would be 24 characters long. I assume you're using the official PHP Mongo Driver, in which case the MongoId class's constructor will ignore invalid values and generate a new one for you. In any event, it's best to let the driver generate an ObjectID/MongoId for you, as it will do so in a way that avoids collisions.

As for the safety of using it in your URLs, you should be fine. You should, of course, use the usual precautions about implementing code to ensure that the current user has access to view the object being displayed, etc, but there is no more security risk of using an ObjectID in URL than any other database identifier (string, integer, etc), and often there is less, as the ObjectID has no semantic value (whereas a string like "adminuser" in a URL might convey that that URL relates to a user with elevated privileges).

like image 180
dcrosta Avatar answered Sep 30 '22 04:09

dcrosta
Sign in to Comment

Related questions

How to track hacking attempts on a website
Smarty and Kohana
Credit card detail in Magento
PDO: "Invalid parameter number" when substituting multiple parameters with same value
PHP how to check if a day was a holiday (in a specified country)?
Permission denied on mkdir()
Preview CURL request prior to sending it
FPDF error: This document (mine.pdf) probably uses a compression technique which is not supported by the free parser shipped with FPDI [duplicate]
What does "->" mean? [duplicate]
PHP version of CSS Media Queries
PHP imagecreatefromstring(): gd-jpeg, libjpeg: recoverable error
PHPUnit stub throws exception but isn't allowed to be caught
Git for Web Development (procedure method)
Detecting blank generated images with php?
Is DI the only solution to Singleton and/or static objects?
Is there a Ruby equivalent to PHP's extract?
PHP code for adding new place to Google Places via API
PHP calendar with recurring events [closed]
Create iCal Calendar event with PHP
Class extending itself?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!